From looking at the source code, the RFC accurately describes how
PGP works. What do you think gets hashed on public subkey packets,
if not 0x99, a two octet length, and the packet body?
ulf(_at_)fitug(_dot_)de (Ulf =?iso-8859-1?Q?M=F6ller?=) writes:
According to RFC 2440, if a four-octet length Public Subkey Packet
is bound to a key, the signature is computed over a packet with a
two-octet length field.
In violation of the RFC, both PGP and GnuPG reject such signatures.
(Section 5.2.4: "When a signature is made over a key, the hash data
starts with the octet 0x99, followed by a two-octet length of the key,
and then body of the key packet. (Note that this is an old-style
packet header for a key packet with two-octet length.) A subkey
signature (type 0x18) then hashes the subkey, using the same format as
the main key.").
Hal